
Analysis Report executable.4420.exe

Overview

General Information

Sample Name: executable.4420.exe
Analysis ID: 356831
MD5: 6192cfbe8e44360f7c0b6f696206f41d
SHA1: 166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256: 8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Startup

  • System is w10x64
  • executable.4420.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\executable.4420.exe' MD5: 6192CFBE8E44360F7C0B6F696206F41D)
    • WerFault.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: executable.4420.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: executable.4420.exe | ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: executable.4420.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: executable.4420.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: shcore.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb> source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdbC source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdbO source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb+ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: mfc42.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: psapi.pdbI source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdbU source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb{ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb[ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb7 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: mfc42.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb1 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose,0_2_00428DCB
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800,0_2_004251F0
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800,0_2_004255B0
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800,0_2_004247C9
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800,0_2_004258FF
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0041B588 __EH_prolog,InternetGetConnectedState,#1199,GetDlgItem,EnableWindow,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemInt,lstrcpyA,IsDlgButtonChecked,InternetOpenA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetConnectA,#1199,GetDlgItem,EnableWindow,FtpSetCurrentDirectoryA,lstrcpyA,FtpCreateDirectoryA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,CreateFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,WriteFile,CloseHandle,CloseHandle,FtpPutFileA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileA,GetDlgItem,EnableWindow,#1199,#800,#800,0_2_0041B588
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004276F1 __EH_prolog,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,GetUserNameA,#3811,#537,#537,#924,#922,#922,#800,#800,#800,#800,#537,#537,#926,#922,FtpPutFileA,#800,#800,#800,#800,DeleteFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#800,0_2_004276F1
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,0_2_0042221F
Source: WerFault.exe, 00000004.00000003.682815138.0000000004ED6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/downloads.html
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/orderbpk.html_This
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/update.tmpupdates/bpk.dat
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard,0_2_00428E0F
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: String function: 0043E4E0 appears 241 times
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: String function: 0043DE26 appears 82 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: executable.4420.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal60.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0041C947 GetLastError,FormatMessageA,MessageBoxA,LocalFree,0_2_0041C947
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004288B3 CreateToolhelp32Snapshot,Module32First,Module32Next,memcpy,CloseHandle,0_2_004288B3
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00429112 CoCreateInstance,0_2_00429112
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042980F #1168,FindResourceA,#1168,SizeofResource,LoadResource,LockResource,#537,#538,0_2_0042980F
Source: C:\Users\user\Desktop\executable.4420.exe | File created: C:\Users\user\AppData\Roaming\BPK\
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5865.tmp
Source: executable.4420.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\executable.4420.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: executable.4420.exe | ReversingLabs: Detection: 74%
Source: unknown | Process created: C:\Users\user\Desktop\executable.4420.exe 'C:\Users\user\Desktop\executable.4420.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00428AD2
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0043E4E0 push eax; ret 0_2_0043E4FE
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0043E690 push eax; ret 0_2_0043E6BE
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\executable.4420.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe | API coverage: 3.8 %
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 0005h and CTI: jbe 0042AB3Fh 0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0014h and CTI: jbe 0042AB4Ch 0_2_0042AAFA
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.685584401.0000000004EE7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000003.683034880.0000000004EA8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW^
Source: WerFault.exe, 00000004.00000003.672880218.0000000004EE7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll73
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042AAFA CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428A6B GetVersionExA,0_2_00428A6B
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00410C1A strlen,memset,htons,inet_addr,gethostbyname,bind,memset,htons,inet_addr,gethostbyname,WSASetLastError,0_2_00410C1A

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 1 | Remote Services | Clipboard Data 2 | Exfiltration Over Alternative Protocol 1 | Ingress Tool Transfer 1 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Security Software Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.